[midPoint] Authorization to run report - Users in MidPoint
Lubomir Odlevak
odlevak.lubomir at gmail.com
Wed Sep 18 10:32:30 CEST 2019
I have added the following authorizations to the end user role to run the
report Users in MidPoint:
<authorization id="46">
    <name>Allow all objects</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#rawOperation</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#search</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#get</action>
    <object id="7">
        <type>UserType</type>
    </object>
    <object id="8">
        <type>LookupTableType</type>
    </object>
    <object id="9">
        <type>ShadowType</type>
    </object>
    <object id="10">
        <type>ValuePolicyType</type>
    </object>
    <object id="11">
        <type>ConnectorType</type>
    </object>
    <object id="13">
        <type>ResourceType</type>
    </object>
    <object id="21">
        <type>RoleType</type>
    </object>
    <object id="22">
        <type>OrgType</type>
    </object>
    <object id="45">
        <type>FocusType</type>
    </object>
    <object id="17">
        <type>ReportOutputType</type>
    </object>
    <object id="18">
        <type>ReportType</type>
    </object>
    <object id="19">
        <type>TaskType</type>
    </object>
</authorization>
<authorization id="39">
    <name>Allow run report</name>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#runReport</action>
</authorization>
TC:
I log in as an end user in mP. I go to the Reports section and choose Users
in MidPoint. I set the parameter Activation to ENABLED and run the report
(other fields are empty). The report runs OK.
But if I have mP users with some projections (they have the XML tag <link ref>
filled in the XML), then the report does not run correctly and throws an error
message:
[PROVISIONING] [midPointScheduler_Worker-7] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Could not search objects: Resource not defined in a search query
com.evolveum.midpoint.util.exception.SchemaException: Resource not defined in a search query
But if I run the mentioned report with a superuser role (for example as the mP
administrator), the report runs OK.
I have analyzed the log (com.evolveum.midpoint.security: TRACE) but I haven't
found any solution yet.
mP env: 3.9; 4.0
Any idea which authorization could help? I appreciate any help.
Regards,
Lubomir Odlevak